Server side: enable TLS-encrypted transport for OpenLDAP
Reference: https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/
-
Install openssl
yum -y install openssl
-
Generate the CA private key. -des3 protects the key file with a passphrase that is asked for on every signing operation; it is a legacy cipher, and -aes256 is the better choice for a new key.
openssl genrsa -des3 -out ca.key 2048
-
Generate the self-signed CA certificate (valid for 365 days). This is the file clients will be told to trust.
openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem
-
Generate the private key for slapd. Despite the name, ldap.client.key is the key slapd presents as the LDAP server; the file names are kept as the reference uses them because the configuration paths below depend on them.
openssl genrsa -out ldap.client.key 2048
-
Create a certificate signing request (CSR) for the slapd key. Use the hostname clients connect with as the Common Name; modern clients (Java included) match the hostname against subjectAltName, which is added at signing time in the next step.
openssl req -new -key ldap.client.key -out ldap.client.csr
-
Sign the CSR with the CA to produce the slapd server certificate. server_cert_ext.cnf supplies the X.509v3 extensions, in particular subjectAltName with the server hostname; its contents are not shown on this page, and the file must exist before this command runs.
openssl x509 -req -in ldap.client.csr -CA ca.cert.pem -CAkey ca.key -out ldap.client.crt -CAcreateserial -days 365 -sha256 -extfile server_cert_ext.cnf
-
Inspect the certificate; check the Issuer, the Validity dates and the X509v3 Subject Alternative Name.
openssl x509 -noout -text -in ldap.client.crt
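The certificate steps above carried out end to end, as an added example (not code from the referenced guide). It writes the server_cert_ext.cnf the page does not show, assumes a placeholder hostname ldap.example.com and an unencrypted CA key so it runs without prompts, and finishes with the three checks worth running before the files are copied into /etc/openldap: the certificate chains to the CA, the key matches the certificate, and the subjectAltName carries the server hostname.

```shell
#!/bin/sh
# Added example, not code from the referenced guide. Builds the CA and the
# slapd server certificate exactly as the steps above do, in a scratch
# directory, and runs three checks before anything is copied to /etc/openldap.
# Assumptions: LDAP_HOST is the hostname clients use (placeholder default
# ldap.example.com); the CA key is written unencrypted so this runs without
# prompts (the page protects it with a passphrase, keep that in production).
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"

# The server_cert_ext.cnf the page references but does not show. Written
# without a [section] header so `openssl x509 -extfile` uses it as the default
# section and no -extensions option is needed.
write_extfile() {
    cat > server_cert_ext.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${LDAP_HOST}
EOF
}

# CA key and self-signed CA certificate (what clients are told to trust).
make_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem \
        -subj "/CN=Example LDAP CA"
}

# slapd key, CSR, and the CA-signed server certificate with the extensions.
make_server_cert() {
    openssl genrsa -out ldap.client.key 2048 2>/dev/null
    openssl req -new -key ldap.client.key -out ldap.client.csr \
        -subj "/CN=${LDAP_HOST}"
    openssl x509 -req -in ldap.client.csr -CA ca.cert.pem -CAkey ca.key \
        -CAcreateserial -days 365 -sha256 -extfile server_cert_ext.cnf \
        -out ldap.client.crt
}

# Check 1: the server certificate chains to the CA file clients will get.
verify_chain() {
    openssl verify -CAfile ca.cert.pem ldap.client.crt >/dev/null
}

# Check 2: key and certificate belong together. slapd rejects the
# olcTLSCertificateFile/olcTLSCertificateKeyFile change if they do not.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in ldap.client.crt)" = \
      "$(openssl pkey -pubout -in ldap.client.key)" ]
}

# Check 3: the SAN names the host clients connect to (-text rather than -ext
# so this also works with the OpenSSL 1.0.2 shipped on CentOS 7).
san_has_host() {
    openssl x509 -noout -text -in ldap.client.crt | grep -q "DNS:${LDAP_HOST}"
}

# Run everything in the given directory (a fresh temp dir by default).
build_all() {
    cd "${1:-$(mktemp -d)}"
    write_extfile
    make_ca
    make_server_cert
    verify_chain && key_matches_cert && san_has_host
}

build_all "${WORKDIR:-}" && echo "certificate checks passed, files are in $PWD"
```

Run it with LDAP_HOST set to the real server name; if any of the three checks fails, fix the certificate before touching cn=config, because a mismatched key or a missing SAN surfaces later as an opaque ldapmodify or client handshake error.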
-
Copy the certificate and key into the OpenLDAP directories
cp -v ldap.client.crt ldap.client.key /etc/openldap/certs/
mkdir /etc/openldap/cacerts/
cp -v ca.cert.pem /etc/openldap/cacerts/
-
Check the current TLS settings in cn=config
slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile"
-
Write the LDIF that points cn=config at the certificate and key. Both attributes go in one modify operation, because slapd checks that the key matches the certificate when the change is applied.
vi tls7.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.client.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.client.key
-
Fix ownership and permissions so slapd (which runs as the ldap user) can read the files. Do not use chmod 777 here: a world-writable certificate directory lets any local account replace the server key and certificate.
chown ldap:ldap /etc/openldap/certs/ldap.client.crt /etc/openldap/certs/ldap.client.key
chown -R ldap:ldap /etc/openldap/cacerts
chmod 640 /etc/openldap/certs/ldap.client.key
chmod 644 /etc/openldap/certs/ldap.client.crt /etc/openldap/cacerts/ca.cert.pem
-
Apply the change over the ldapi socket, authenticating as root via SASL EXTERNAL
ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif
-
Write the LDIF that adds the CA certificate
vi tls7_1.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem
-
Apply the change
ldapmodify -Y EXTERNAL -H ldapi:// -f tls7_1.ldif
-
Check the TLS settings again
slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile|olcTLSCACertificateFile"
The following output means the configuration is in place:
olcTLSCertificateFile: /etc/openldap/certs/ldap.client.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.client.key
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.cert.pem
-
Enable the ldaps:// listener (port 636) in the slapd service configuration
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
-
Point the client-side LDAP configuration (used by ldapsearch and the other ldap* tools on this host) at the CA. TLS_REQCERT allow accepts a missing or unverifiable server certificate, which defeats the CA check; once ca.cert.pem is in place, the default demand is the value to keep.
vi /etc/openldap/ldap.conf
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/ca.cert.pem
-
Restart slapd
systemctl restart slapd
-
Verify that TLS works
ldapsearch -x -ZZ
-ZZ forces StartTLS on the ldap:// port and aborts if the TLS handshake fails, so the output below means TLS is working; "result: 32 No such object" only reflects that no base DN was given. With TLS_REQCERT allow the handshake also succeeds when the server certificate does not verify, so set demand to make this a real check of the CA. The ldaps:// listener is checked the same way with -H ldaps://<hostname>.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
-
Confirm slapd is listening; ldaps uses port 636
netstat -tunlp|grep slapd
Output:
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1138/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1138/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      1138/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1138/slapd
Client side: LDAPS support in a Java application
Reference: https://support.google.com/cloudidentity/answer/9089736?hl=zh-Hans
-
Convert the certificate and key into PKCS12, the format keytool can import. openssl prompts for an export password; it becomes the keyStorePassword below. This merge of certificate and private key comes from the Google guide, where the client authenticates to Secure LDAP with a client certificate; see the note under the next step before doing it against the slapd configured above.
Linux or macOS:
openssl pkcs12 -export -out java-application-ldap.pkcs12 -in ldap.client.crt -inkey ldap.client.key
Windows:
certutil -mergepfx ldap.example.crt ldap.pkcs12
-
Import the PKCS12 file into a JKS key store (keytool prompts for the source and destination store passwords). Note that the slapd configured above does not request client certificates, so the Java side only needs to trust the CA: importing ca.cert.pem as a trusted certificate (keytool -importcert -trustcacerts) is sufficient, and the server's private key should not be copied into client deployments at all.
keytool -v -importkeystore -srckeystore java-application-ldap.pkcs12 -srcstoretype PKCS12 -destkeystore java-application-ldap.jks -deststoretype JKS
-
How Java properties are set depends on the application; usually they are passed with -D on the java command line that starts it. Set the following properties for the application:
javax.net.ssl.trustStore=/<path-to>/java-application-ldap.jks
javax.net.ssl.keyStore=/<path-to>/java-application-ldap.jks
javax.net.ssl.keyStorePassword=<password selected above>
javax.net.ssl.trustStorePassword=<password selected above>
-
In a Docker deployment, edit the startup.sh referenced by the Dockerfile as below and place the generated java-application-ldap.jks (the file the -D options point at, not the intermediate .pkcs12) in the adapter configuration directory. Replace 123456 with the password chosen at export time; note that store passwords passed on the command line are visible to anyone who can list processes on the host.
java -jar -Dspring.config.location=/ruijie/sourceid/adapter/conf/ -Dlogging.config=/ruijie/sourceid/adapter/conf/logback.xml -Djavax.net.ssl.trustStore=/ruijie/sourceid/adapter/conf/java-application-ldap.jks -Djavax.net.ssl.keyStore=/ruijie/sourceid/adapter/conf/java-application-ldap.jks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStorePassword=123456 -Xmx512m -Xms256m $JAVA_OPT_EXT /app/xxx.jar